Subnetting and Masks: Separating IPv4 Addresses for Security and Routing

Everything you ever wanted to know about subnetting and masks, also a few things you didn’t want to know, too.

Some of you have probably heard of the term subnetting and some of you may even know what it is. There are statistics that show if you have heard of subnetting, then there is a larger-than-not chance that you also have no life.

This post will assume that you have not heard of subnetting and have no idea what it is (and that you lead a rich and fulfilling existence). This concept will include certain things like IP addresses and binary math but the general philosophy behind subnetting is based in security (through separation) and displays how necessary subnetting and masking is for IPv4 networking.

The terms subnet and subnetting are somewhat generic terms that cover breaking the entire IP addressing scope into smaller divisions. To understand subnetting, we have to take a step back and understand IP addressing, binary math and the scope of the whole thing.

Finally, an IP Address Explanation

Most people have heard of an IP address. In a sense, it is similar to a physical address (not a MAC address, a different topic for another time) that one may associate with a house or a business. If you wanted to send something (or navigate) to a house or business, knowing the address is a good first step. There is not much difference between that and an IP address.

Every networked computer/appliance will have an IP address associated with it. Many of the IP addresses that most people are familiar with are private IP addresses. Public addresses (with DNS) are what enable us to surf the web for untold wonders and cat videos. Private addressing allows us to communicate with computers within a particular private subnet, typically for file sharing, providing services (a local mail server or print server), LAN gaming, etc.

In terms of private subnets, going back to the physical address analogy, imagine a company having a PO Box that receives all of the mail for all of their employees. If you wanted to send a package to John Doe at that company, you would address it to John Doe and provide his PO Box number. Then, someone from the company would gather the package and deliver it to John Doe. You might not know where John Doe’s office or location is, you just know that sending a package addressed to John Doe with the PO Box will get the package to a point in which it will be distributed to John Doe. As such, a gateway would receive all traffic for all of its hosts and then distribute it to those hosts with PAT (Port Address Translation), which is sometimes referred to as NAT (Network Address Translation).

Dissecting an IP Address

IPv4 addresses consist of four octets separated by a dot (.). Why are they called octets? Because each valid number can be represented by 8 bits. Here is where we start with a little binary math. A binary digit will be either a 0 or a 1, so 8 bits give 2^8 = 256 possible values. If we subtract 1, because 0 is a valid number here, then the largest value is 255. Each octet can represent a number between 0 and 255. Here's a quick crash course on how binary math works:

Binary (0 or 1)        0    0    0    0    0    0    0    0
Decimal equivalent   128   64   32   16    8    4    2    1

Let the number up top represent the binary number (either 1 or 0) and the numbers below represent its decimal or base 10 (the number base system we are all familiar with and taught from an early age). If the binary number above is a ‘1’, then you simply add up the corresponding base 10 number to get the binary number’s base 10 value. Any number can be represented in binary with enough bits.

Examples:

Decimal   8-bit binary         Binary (leading zeros dropped)
2         0 0 0 0 0 0 1 0      10
37        0 0 1 0 0 1 0 1      100101
98        0 1 1 0 0 0 1 0      1100010
200       1 1 0 0 1 0 0 0      11001000
255       1 1 1 1 1 1 1 1      11111111

(There is a ‘joke’ that goes, ‘There are 10 kinds of people in the world: those who understand binary and those who don’t.’ Get it? Even if it doesn’t get a laugh, you should get it, now.)

There are some special rules, which will be discussed later, but the general idea is that an IP address cannot contain an octet that is outside of 0-255. So, something that looks like 192.168.1.300 would not be valid, nor would something like -192.168.-1.100. Technically, 0.0.0.0 and 255.255.255.255 fit the rules, but you would never see anything assigned with those addresses. They are used for something else.

If we need to go beyond the number 255 (which, you never will for an IPv4 octet), then you would just add another bit. The ninth bit would be 256.

So, a typical IP address can be represented in binary and would look like:

Decimal Binary
192.168.1.100 11000000.10101000.00000001.01100100

Subnetting and Masks

Now, if we were to go through every possible IP address, it would look something like 0.0.0.0, 0.0.0.1, 0.0.0.2... If we were to count the total number of IPv4 addresses, it would be 2^8 * 2^8 * 2^8 * 2^8 = 2^32 = 4,294,967,296. Sound like a lot of IP addresses? It is, but we are running out of public addresses. That is why there is a (delayed) push to migrate to IPv6, which has

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. There would likely never be a threat of running out of addresses from that number, which is read as 340 undecillion.

On smaller implementations (think small business/home use), our subnets are nice and clean. But, the subnets aren’t always nice and clean and it can help to break up addresses into subnets with just enough IP addresses. Confused? Understood. It will all be cleared up a bit next.

Now, we may have 20 computers that we want to have direct communication with each other. We could break up some of those potential IP addresses and say that they can talk to each other without restriction but communication to any other address needs to go through some other process/filter to communicate. This is where we can use subnetting. Subnetting can break up this entire addressing scope into smaller networks.

In order to define the scope of these smaller networks, we can utilize something called a subnet mask. Once again, you may or may not have seen subnet masks before but you likely have. They are often coupled with IP addresses. Subnet masks help define which part of the IP address defines the subnet and which part of the IP address defines the host (end user) portion. Let’s use a likely familiar IP scheme to understand it a little better. Consider the IP address (top) and subnet mask (middle) below:

IP Address                192 . 168 . 1 . 100
Subnet Mask               255 . 255 . 255 . 0
Subnet Mask (in Binary)   11111111 . 11111111 . 11111111 . 00000000

Going from left to right, the alignment goes from subnetwork definition to host definition: anything in the binary representation with a '1' defines the subnetwork and anything with a '0' represents the host. What does this mean? This means that this IP address is in the subnet = 192.168.1.0 with subnet mask = 255.255.255.0. In shorthand (AKA CIDR, Classless Inter-Domain Routing, notation), this can be written 192.168.1.0 /24, where the '/24' represents the number of active subnetwork bits in the mask.

A Few Quick Rules About Subnet Masks

Active network bits have to be consecutive across all octets

Valid subnet mask:

11111111 . 11110000 . 00000000 . 00000000 Equals: 255.240.0.0 and is valid and can be shorthanded as '/12' because there are 12 active subnetwork bits (1s)
11111111 . 11111111 . 11111111 . 10000000 Equals: 255.255.255.128 and is valid and can be shorthanded as '/25' because there are 25 active subnetwork bits (1s)
10000000 . 00000000 . 00000000 . 00000000 Equals: 128.0.0.0 and is valid and can be shorthanded as '/1' because there is 1 active subnetwork bit

Invalid subnet masks:

11111111 . 11101000 . 00000000 . 00000000 Equals: 255.232.0.0 and is invalid. All the active subnetwork bits (across all octets) are not consecutive.
11111111 . 11111111 . 00000000 . 00000001 Equals: 255.255.0.1 and is invalid. All the active subnetwork bits (across all octets) are not consecutive.
11111111 . 00000000 . 11111111 . 00000000 Equals: 255.0.255.0 and is invalid. All the active subnetwork bits (across all octets) are not consecutive.

Due to this, the only real valid numbers for a subnet mask are:

Binary    00000000  10000000  11000000  11100000  11110000  11111000  11111100  11111110  11111111
Decimal          0       128       192       224       240       248       252       254       255

The first IP address in a subnet is used to define the subnet that an IP address is in. For example, the IP address that is 192.168.1.100 /24 is said to be in the subnet = 192.168.1.0 /24

That subnet definition cannot be assigned to a host machine.

The last IP address in a subnet is used as a broadcast address

  • Broadcast addresses can be used to send communication to all host machines in a subnet
  • It is often used for networking/security purposes
  • That broadcast address cannot be assigned to a host machine

When defining the amount of usable host machines in a subnet, we must always subtract 2: 1 x for the subnet definition and 1 x for the broadcast definition.

So, What Exactly Does This Mean?

As mentioned earlier, the IP address = 192.168.1.100 /24 is part of the 192.168.1.0 /24 subnet. So, any other machine can have an IP address in that subnet, with its own unique host number, and it would be in that subnet and could communicate with another machine in that subnet without the need for a router (gateway). So, a machine that has an IP address that is 192.168.1.200 /24 would be in the same subnet. And because the subnet mask is /24, that means that the entire last octet can be used to define the host machine: 2^8 = 256, minus 2 = 254 usable addresses. (Remember, we subtracted 2 because 1 x is used to define the subnet and 1 x is used to define the broadcast IP.) IPs in that subnet could be assigned to a gateway (each subnet needs a gateway if it will communicate outside of its subnet), maybe a local DNS server, and any other machine/host in that subnetwork.

So, what if our subnet masks aren't so "clean", meaning that an entire octet (or trailing, consecutive octets) is not fully available for host designation? The general math to figure out how many usable hosts there are is as such:

(2^h1 * 2^h2 * 2^h3 * 2^h4) - 2, where each h is the number of host bits (0s in the mask) in that octet. Huh? Examples, here we go!

Example 1:

Subnet Mask                255 . 255 . 255 . 0
Subnet Mask (in binary)    11111111 . 11111111 . 11111111 . 00000000
Usable Hosts               2^0 * 2^0 * 2^0 * 2^8 = 1 * 1 * 1 * 256 = 256 - 2 = 254
Network definition IP      10 . 10 . 10 . 0
Broadcast definition IP    10 . 10 . 10 . 255
Usable host IPs in that subnet using that mask: 10.10.10.145, 10.10.10.254, 10.10.10.4

Example 2:

Subnet Mask                255 . 255 . 0 . 0
Subnet Mask (in binary)    11111111 . 11111111 . 00000000 . 00000000
Usable Hosts               2^0 * 2^0 * 2^8 * 2^8 = 1 * 1 * 256 * 256 = 65,536 - 2 = 65,534
Network definition IP      172 . 16 . 0 . 0
Broadcast definition IP    172 . 16 . 255 . 255
Usable host IPs in that subnet using that mask: 172.16.54.255, 172.16.147.34, 172.16.255.254

Example 3:

Subnet Mask                255 . 255 . 224 . 0
Subnet Mask (in binary)    11111111 . 11111111 . 11100000 . 00000000
Usable Hosts               2^0 * 2^0 * 2^5 * 2^8 = 1 * 1 * 32 * 256 = 8,192 - 2 = 8,190
Network definition IP      192 . 168 . 32 . 0
Broadcast definition IP    192 . 168 . 63 . 255
Usable host IPs in that subnet using that mask: 192.168.47.128, 192.168.50.228, 192.168.63.254

Example 4:

Subnet Mask                255 . 255 . 255 . 192
Subnet Mask (in binary)    11111111 . 11111111 . 11111111 . 11000000
Usable Hosts               2^0 * 2^0 * 2^0 * 2^6 = 1 * 1 * 1 * 64 = 64 - 2 = 62
Network definition IP      192 . 168 . 32 . 0
Broadcast definition IP    192 . 168 . 32 . 63
Usable host IPs in that subnet using that mask: 192.168.32.1, 192.168.32.35, 192.168.32.60

What Else With This?

A few things to point out:

  • We often see the subnet masks as “clean”, typically a /24, because that accommodates most networks and is just easier to work with. We may see something like /23 which would basically double the amount of usable hosts.
    • Example 2 above, has 65,534 usable hosts. That is a big freakin’ subnet. You don’t see this utilized too often where the hosts will be mostly used but there certainly could be applications.
  • As mentioned in a previous article, any host that wants to communicate with a host in another subnet needs a router. Intra-subnet communication only requires switching.
    • In example 4, the example IP of 192.168.32.35 is in a different subnet than 192.168.32.67. If 2 x hosts with these IP addresses need to communicate, there would be a need for a router (gateway).
  • What about a subnet mask of 255.255.255.254? Let’s look at the math:
    Subnet Mask              255 . 255 . 255 . 254
    Subnet Mask (in binary)  11111111 . 11111111 . 11111111 . 11111110
    Usable Hosts             2^0 * 2^0 * 2^0 * 2^1 = 1 * 1 * 1 * 2 = 2 - 2 = 0
  • Zero usable hosts?! Yeah, no good. You won’t see this as a subnet mask except in point to point links for WAN interface which uses no broadcast IP. As far as I know, it is not commonly used.
  • Classful subnetting can classify certain IP address into classes. Here is a good example of how the classes are broken up
  • DHCP (Dynamic Host Configuration Protocol) is our friend in most cases. It assigns IP addresses, subnet masks, gateway addresses and DNS for hosts that are calling for it. How does a host initiate requests for DHCP? Through a network broadcast! The DHCP server, whether router, firewall, Raspberry Pi or actual server tower, is listening for the broadcast. The host is all like, "Yo, I need an IP address so I can YouTube cat videos. Who can help?" and the DHCP server is all like, "Oh yeah! I can help you there. Pass me your MAC address and I'll pass back the network info." DHCP is best for machines that can join and leave a network dynamically, such as cell phones, laptops, etc.
  • Static addressing is also our friend. While MAC binding is an option for DHCP, sometimes setting a good ol' fashioned static IP address for certain hosts will guarantee that the IP address will not change. They are good for servers, particularly DNS, but not exclusively so.
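To tie the mask rules and the four examples above together, here is the same math in plain Python (an added example, not code from the original post). It validates a mask the way the "consecutive active bits" rule does, derives the /n prefix, network and broadcast addresses and usable-host count, and checks whether two hosts share a subnet (and so need no router between them). The addresses used are the post's own sample values; nothing here touches a network.

```python
# Added example (not the post's own code): the post's subnet math done with the
# same bit logic in plain Python; inputs are the post's sample addresses.

def dotted_to_int(addr):
    """'192.168.1.100' -> 32-bit int; rejects octets outside 0-255."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"{addr!r}: need exactly four octets")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"{addr!r}: octet {o} is outside 0-255")
        value = (value << 8) | n
    return value

def int_to_dotted(value):
    return ".".join(str((value >> s) & 255) for s in (24, 16, 8, 0))

def prefix_length(mask):
    """Return the CIDR /n, raising if the active (1) bits are not consecutive."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask}: active network bits are not consecutive")
    return ones

def is_valid_mask(mask):
    try:
        prefix_length(mask)
        return True
    except ValueError:
        return False

def describe(ip, mask):
    """Network, broadcast and usable-host count, as in the post's examples."""
    prefix = prefix_length(mask)
    m = dotted_to_int(mask)
    network = dotted_to_int(ip) & m          # 1-bits keep the subnet part
    broadcast = network | (~m & 0xFFFFFFFF)  # all host bits set = last address
    usable = max(2 ** (32 - prefix) - 2, 0)  # minus network and broadcast
    return {"cidr": f"{int_to_dotted(network)}/{prefix}",
            "broadcast": int_to_dotted(broadcast), "usable_hosts": usable}

def same_subnet(ip_a, ip_b, mask):
    """True when both hosts share a subnet, i.e. need no router between them."""
    m = dotted_to_int(mask)
    return dotted_to_int(ip_a) & m == dotted_to_int(ip_b) & m
```

Running `describe("192.168.47.128", "255.255.224.0")` reproduces Example 3 (192.168.32.0/19, broadcast 192.168.63.255, 8,190 usable hosts), and `same_subnet("192.168.32.35", "192.168.32.67", "255.255.255.192")` returns False, matching the /26 case in the bullets above.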

There is a lot more to this and we will examine other aspects of networking in the future. Based off of this article, there is no need to scrutinize but stay safe and happy scrutinizing anyway!


Author

Ross Thomas

Ross Thomas is The SSL Store’s IT manager, he is a regular contributor at Hashed Out.